U.S. Agency for International Development
Washington, D.C.

May 14, 2001

MEMORANDUM FOR A-CIO, Peter Benedict

FROM: IG/A/ITSA, Melinda G. Dempsey

SUBJECT: Audit of USAID’s Compliance with Internet Privacy Policies
         (Report No. A-000-01-001-P)

This memorandum is our report on the subject audit. Thank you for the level
of importance you attach to individual privacy issues. Your comments on
the draft report are included in Appendix II.

This report contains two recommendations for your action. Based on your
comments, management decisions have been reached on these
recommendations. The Office of Management Planning and Innovation
(M/MPI/MIC) will make a determination of final action for these
recommendations when planned corrective actions are completed.

I appreciate the cooperation and courtesy extended to my staff during the
audit.

                                                                      Page 1 of 13

Table of Contents

Summary of Results                                                       3
Background                                                               3
Audit Objectives                                                         4
Audit Findings                                                           5
  Does USAID collect or enter into agreements with third parties to
  obtain personally identifying information about individuals who
  access the Agency’s website?                                           5
  Does USAID post privacy notices and restrict the use of Internet
  cookies in accordance with Office of Management and Budget
  Memoranda M-99-18 and M-00-13?                                         5
Management Comments and Our Evaluation                                   9
Appendix I - Scope and Methodology                                      10
Appendix II - Management Comments                                       12

Summary of Results

This report discusses how the agency collects personally identifying
information and describes our assessment of USAID’s compliance with the
Office of Management and Budget’s requirements to post privacy policies
on websites and to limit use of Internet cookies[1], except under certain
conditions. The specific objectives of the audit are to determine whether:
(1) USAID collects through its own efforts or obtains from third parties
personally identifying information about visitors to its public website
[page 5] and (2) USAID complies with federal guidance related to protecting
Internet users’ privacy when visiting federal websites [page 5].

Our audit work documented that USAID does collect personally identifying
information from website visitors [page 5].
In addition, based on
management representations, USAID has not entered into any agreements
with third parties to obtain personally identifying information related to
website users’ viewing habits [page 5].

Our work also indicated that USAID does comply with federal regulations
that require agencies to post privacy notices on their websites [page 5].
However, USAID does not fully comply with requirements that govern the
use of Internet cookies [page 6], nor does it adequately safeguard personal
information collected [page 8].

The acting Chief Information Officer (CIO) has agreed with the report and is
planning to implement both recommendations [page 9].

Background

As the Internet pervades the personal and work lives of Americans, greater
focus is placed on protecting personal privacy. The Congress has long
recognized the importance of privacy in American society. The Privacy Act
of 1974 requires that federal agencies protect an individual’s right to privacy
when they collect personal information. This concern was continued by
enactment of the Treasury and General Appropriations Act of 2001, which
states that:

    Not later than 60 days after the date of enactment of this
    Act, the Inspector General of each department or agency
    shall submit to Congress a report that discloses any
    activity of the applicable department or agency relating to--

    (1) the collection or review of singular data, or the creation
        of aggregate lists that include personally identifiable
        information, about individuals who access any Internet
        site of the department or agency; and
    (2) entering into agreements with third parties, including
        other government agencies, to collect, review, or obtain
        aggregate lists or singular data containing personally
        identifiable information relating to any individual's access
        or viewing habits for governmental and nongovernmental
        Internet sites.

[1] A cookie is a text data file that is sent from a web server to a web
browser when the browser accesses a web page. Cookies allow the web server
to recognize a user who returns to a particular site. Cookies can be used to
track on-line purchases or to maintain and serve customized web pages.

The Office of Management and Budget (OMB) has provided specific
guidance to agencies to help protect privacy. This guidance is primarily in
the form of two memoranda to agencies. The first, Memorandum M-99-18,
provides criteria for posting privacy notices on federal websites. The
second, Memorandum M-00-13, addresses Internet cookies, text or data files
stored on a visitor’s computer. The memorandum provides that cookies may
not be created by a federal website unless certain requirements are met.

At USAID several offices have responsibilities over USAID’s website.
The
Chief Information Officer (CIO) is responsible for directing, managing, and
providing policy guidance and oversight with respect to all USAID
information resource management activities. The Bureau for Legislative and
Public Affairs (LPA) is responsible for the review of USAID produced or
funded materials available to the public on the Internet. The Bureau for
Management, Office of Information Resources Management (M/IRM) is
responsible for operating USAID’s external website.

Audit Objectives

The Congress, as part of the Treasury and General Appropriations Act of 2001,
mandated the first objective of this audit. The second objective was to test
agency compliance with existing federal guidance. As a result, the
objectives of this audit were to answer the following questions:

Does USAID collect or enter into agreements with third parties to
obtain personally identifying information about individuals who access
the Agency’s website?

Does USAID post privacy notices and restrict the use of Internet cookies
in accordance with Office of Management and Budget Memoranda
M-99-18 and M-00-13?

A detailed discussion of our scope and methodology is presented in
Appendix I.

Audit Findings

Does USAID collect or enter into agreements with third parties to
obtain personally identifying information about individuals who
access the Agency’s website?

USAID collects limited personal information about visitors and is unaware
of any third party agreements to collect personal information. Information
such as a visitor’s computer Internet address and date and time of access
is collected in website log files. Visitor names, e-mail addresses, and
any other information that the visitor provides are also solicited and
collected from visitors who have comments or suggestions. USAID
discloses the types of information collected and how it will be used in
privacy notices posted on the website. Privacy notices are discussed in
more detail under the second audit objective below.

According to USAID management, USAID does not have any agreements
with third parties to collect, review, or obtain aggregate lists or singular data
containing personally identifiable information relating to any individual’s
access or viewing habits for its Internet sites. We consider the likelihood
that USAID has agreements of this nature to be low, but the cost of extensive
verification would be high because of the many contracts USAID has with
partners and vendors. Accordingly, we limited our verification efforts to
discussions with management responsible for the USAID privacy program
and with management responsible for website content.

Does USAID post privacy notices and restrict the use of Internet
cookies in accordance with Office of Management and Budget
Memoranda M-99-18 and M-00-13?

USAID includes a privacy notice on its websites that complies with OMB
Memorandum M-99-18.
However, USAID does not fully comply with
OMB Memorandum M-00-13 requirements on using cookies on federal
websites. These two issues are detailed in the following sections of this
report.

USAID Does Comply with OMB’s Requirements on Privacy Notices

OMB Memorandum M-99-18 requires agencies to post privacy policies in
accordance with the following.

   •   Privacy policies must be posted on agency websites, at major entry
       points to sites, and on any page where substantial personal
       information is collected from the public;

   •   Policies must clearly and concisely inform visitors to the site what
       information the agency collects about individuals, why the
       information is collected, and how the information is used; and

   •   Policies must be clearly labeled and easily accessed.

Specifically, links to USAID’s privacy notice are prominently posted on
the main webpage and on other major points of entry to USAID’s website.
The notice informs visitors to the site that USAID collects domain name,
the date and time the site was accessed, and the Internet address of the
website from which the visitor was linked directly to USAID’s site. The
policy outlines that the Agency collects statistics on which webpages
visitors view at the website. It also clearly indicates that information is
collected for site management and, in the case of suspected unauthorized
activity, for law enforcement and possible criminal prosecution. Visitors
are also informed that personally identifying information is collected when
sending an e-mail message.
This information is then used to respond to
comments or suggestions. Finally, the privacy notice policies are clearly
labeled and easily accessed.

USAID Does Not Fully Comply with OMB’s Requirements on Cookies

OMB Memorandum M-00-13 states that “the presumption should be that
‘cookies’ will not be used” on federal websites. Nevertheless, if cookies are
used, the following criteria must be met.

   •   The site must give clear and conspicuous notice that cookies
       are used;

   •   A compelling need to gather data on the site must exist;

   •   Appropriate and publicly disclosed privacy safeguards must
       be in place to protect any information derived from cookies;
       and

   •   The agency head must give personal approval for the use of
       the cookie.

USAID was aware of the requirements of M-00-13 and was attempting to
comply with the guidance. However, when we searched a copy of USAID’s
website, we found two webpages that caused cookies to be created. Neither
cookie met all the conditions for use under the OMB’s memorandum.

In the first instance, USAID developed an application which used cookies to
collect and store information that can be associated with a particular person.
USAID did not intend for the application that created the cookie to be
available to the public. However, in order to demonstrate the functionality
of the application to a remote party, USAID placed the application on the
public website but did not provide any links or indication to the public that it
existed. While on the website, the application could only have been
accessed by visitors who knew its webpage address.
Notwithstanding that
the application was neither publicized nor readily available to the public, it was
accessible on the website and the cookie it created did not comply with any
of the requirements of OMB M-00-13.

In the second instance, a USAID application, which allowed visitors to
search for past contract awards information, created a cookie on a site
visitor’s computer. USAID disclosed the use of this cookie in the web
page’s privacy notice but did not attempt to ensure that the other conditions
of OMB M-00-13 were met before using the cookie. At the time,
management did not believe that this particular cookie was subject to the
OMB memorandum. In practice, a cookie can be classified as either a
“session” or a “persistent” cookie. Session cookies are not saved on a
visitor’s computer after disconnecting from the Internet. Persistent cookies
remain on a visitor’s computer indefinitely or until they are deleted. After
issuing M-00-13, OMB clarified its position on using cookies to state that the
four conditions cited above applied only to using persistent cookies[2].
USAID mistakenly believed that the cookie created by this application was a
session cookie and therefore not subject to M-00-13.

Subsequent to our audit, USAID management has removed the sources of
both cookies from the website. The previously cited conditions resulted
because procedures and monitoring activities are not in place to ensure
complete compliance with the policy. Because USAID did not comply with the
policy, visitors to USAID’s website may not have been aware that
information was collected about them, how this information was being used,
and how this information was being safeguarded.

    Recommendation No. 1: We recommend that the Chief
    Information Officer require USAID’s Office of
    Information Resources Management to periodically
    search USAID’s external website for cookies that do not
    comply with OMB M-00-13.

[2] See September 5, 2000, letter from John T. Spotilla, Administrator, Office of
Information and Regulatory Affairs, Office of Management and Budget, to Roger
Baker, Chief Information Officer, U.S. Department of Commerce.

USAID Does Not Adequately Safeguard Personal Information

OMB Memorandum M-00-13’s third requirement, that appropriate privacy
safeguards must be in place to protect any information derived from cookies,
can be extended to information solicited from visitors. Personal information
collected on USAID websites is protected by operating system security on
the web server. However, access to this server is not restricted by the
agency’s firewall, a combination of hardware and software specifically
designed to provide a greater level of security to computer networks.
Firewalls are desirable to protect sensitive data and networks from intrusion
and unauthorized use.

USAID solicits visitor feedback on the website via forms. Forms are web
pages that include fields for the user to voluntarily provide information to the
web server. The form collects the visitor’s name and address and any other
personally identifiable information that is typed into the form by the site
visitor. This information is logged in a file and is used to respond to visitor
inquiries. Presently, USAID does not have a policy, together with
procedures and monitoring activities, to ensure that personally identifying
information collected by web servers or applications is adequately
safeguarded.

    Recommendation No. 2: We recommend that the Chief
    Information Officer require that security policies,
    procedures, and monitoring activities are formulated to
    ensure that personally identifying information collected
    by web servers or applications is adequately safeguarded.

Management Comments and Our Evaluation

USAID removed the cookies that did not comply with OMB M-00-13 and
removed personally identifying information from the external web servers.
The acting Chief Information Officer has agreed with the report and is
planning to implement both recommendations. Consequently,
management decisions have been reached on Recommendation Nos. 1
and 2.

Management’s complete response is included in this report in Appendix II.

Appendix I

Scope and Methodology

Scope

The Office of the Inspector General in Washington conducted an audit, in
accordance with generally accepted government auditing standards, to
determine if USAID was collecting, reviewing, or creating aggregate lists
that include personally identifying information about individuals who access
the Agency’s website. The audit encompassed all files and applications that
comprised USAID’s external website located at “www.usaid.gov” as of
January 20, 2001.
Because Internet cookies can be used to collect personally
identifying information, the audit also determined whether the cookies being
used on the website were used in accordance with OMB Memorandum
M-00-13. The audit reviewed privacy notices on the website for compliance
with OMB Memorandum M-99-18. The audit was conducted from January
19, 2001, through March 28, 2001.

Methodology

To answer the question raised in the first audit objective, we held
discussions with the following USAID bureaus: Bureau for Legislative
and Public Affairs (LPA); Bureau for Management, Office of Information
Resources Management (M/IRM); and Bureau for Management, Office of
Assistant Administrator (M/AA). The Deputy Assistant Administrator
serves as the Chief Information Officer.

In considering the likelihood that USAID would enter into an agreement
with a third party to obtain personally identifying information, we noted
targeted advertising, identification of personal assets, and identification of
other information to support an entitlement or a claim to be factors that could
motivate an agency to collect personally identifying information. We
consider the likelihood that USAID has agreements of this nature to be low,
but the cost of extensive verification would be high because of the many
contracts USAID has with partners and vendors. Accordingly, we limited
our verification efforts to discussions with management responsible for the
USAID privacy program and with management responsible for website
content.

We obtained a copy of all the USAID web files from the web server and
from the application server.
These files were searched using the “Find
File” functionality included with Windows 95. We searched for syntax
that would have been used to set cookies using the following
programming languages: Cold Fusion, Java, JavaScript, PERL, Active
Server Pages, and VBScript.

This search covered all files that were on the web server as of January 20,
2001. We set our materiality threshold for the audit as any occurrence of a
non-compliant cookie.

USAID management gave us a copy of the Internet files on compact disc
as of January 20, 2001. Due to the number and size of the data and due to
the fact that we received the disc after January 20, 2001, we relied on
management’s representation that the discs contain a complete set of the
actual files that were available to the public. To provide assurance that we
received all files, we judgmentally selected 30 links off the main webpage.
Without exception, the links were found in the files provided on the discs.

We reviewed security logs and web server logs to note whether personally
identifying information was being collected in the logs. Discussions were
held with M/IRM on its policies and procedures for operating websites and
using information obtained from users of the sites.

To answer the question raised by the second objective, we reviewed any
cookies that we found on the website for compliance with OMB
Memorandum M-00-13, and we reviewed the website policy notices for
compliance with OMB Memorandum M-99-18.

Appendix II

Management Comments

U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT                        May 11, 2001

TO:       OIG/A/ITSA, Melinda Dempsey
THROUGH:  A-AA/M, Richard C. Nygard
FROM:     A-CIO, Peter Benedict
SUBJECT:  Management Comments on Draft "Audit of USAID's Compliance
          with Internet Privacy Policies"

     USAID management takes the issue of protecting individual
privacy seriously, and has taken prompt action to increase the
already substantial compliance with the OMB guidance on cookies and
protection of personally identifying information. Before this audit
started, the CIO was in the process of establishing an intensified
program of privacy protection. Efforts to protect individual privacy
will continue.

     Regarding Recommendation No. 1: "We recommend that the Chief
Information Officer require USAID's Office of Information Resources
Management to periodically search USAID's external website for cookies
that do not comply with OMB M-00-13."

     We acknowledge that the OIG found two instances of persistent
cookies on USAID managed web sites, which were promptly removed, once
found. Even though this number was low, we consider that any level of
non-compliance on this issue requires action.

     The CIO agrees to task appropriate staff to periodically search
USAID's identified[1] external websites for cookies that do not comply
with OMB M-00-13. We plan to close the recommendation when the process
for this search is established and in operation.

     Regarding Recommendation No. 2: "We recommend that the Chief
Information Officer require that security policies, procedures, and
monitoring activities are formulated to ensure that personally
identifying information collected by web servers or applications is
adequately safeguarded."

     We agree that personally sensitive information was stored on a
server that was effectively outside USAID's firewall protections, and
that this was not approved as appropriate.

     To ensure the immediate protection of personally identifying
information while Recommendation 2 is implemented, all such personally
identifying information has been removed from the external web server
where its security was in question.

     The CIO agrees to require the development of security policies,
procedures, and monitoring activities to ensure that personally
identifying information collected from the public is adequately
safeguarded. When these are approved and in operation, we plan to
close this recommendation.

_________________
[1] USAID funds a wide range of web sites operated by contractors. Many are
funded by USAID missions overseas. At present we do not have a complete
inventory of these sites. Within the limit of available funds the CIO will
work with partners in USAID to identify these sites so that the necessary
search for cookies can be conducted.
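The methodology in Appendix I describes searching the copied web files for the syntax that sets cookies in Cold Fusion, Java, JavaScript, PERL, Active Server Pages and VBScript, and the second cookie finding turns on whether a cookie is a session or a persistent cookie. The script below is an added example of that search; it is not tooling from the audit, USAID or OMB. It scans a set of source files for each language's cookie-setting statement, classifies every cookie by whether a lifetime is set (cfcookie expires, JavaScript expires/max-age, servlet setMaxAge, CGI.pm -expires, ASP .Expires), and marks cookies whose lifetime is computed at run time for manual review, since a static search cannot settle those. It goes beyond the audit's "Find File" search in one respect: it also classifies a Set-Cookie header captured from the live site, which is how Recommendation No. 1's periodic search would catch cookies set by code the file search misses. The file-extension mapping, the regular expressions and the sample files are assumptions constructed for illustration; the sample paths and contents are not USAID content.

```python
"""Static search of web source files for cookie-setting statements, with each
cookie classified as session, persistent, or needing manual review.  Added
example, not tooling from the audit, USAID or OMB; sample files are constructed."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Finding:
    path: str
    language: str
    name: str                   # cookie name, or "?" when it is not a literal
    persistent: Optional[bool]  # None: lifetime computed at run time, review by hand

# Assumed mapping from file extension to the languages named in the audit.
_LANG_BY_EXT = {".cfm": "coldfusion", ".java": "java", ".js": "javascript",
                ".html": "javascript", ".pl": "perl", ".cgi": "perl", ".asp": "asp"}
_LIFETIME = re.compile(r"\b(expires|max-age)\s*=", re.I)

def _scan_coldfusion(src):
    # <cfcookie> is a session cookie unless it carries an expires attribute.
    out = []
    for attrs in re.findall(r"<cfcookie\b([^>]*)>", src, re.I):
        m = re.search(r'\bname\s*=\s*"([^"]*)"', attrs, re.I)
        out.append((m.group(1) if m else "?", bool(re.search(r"\bexpires\s*=", attrs, re.I))))
    return out

def _scan_javascript(src):
    # document.cookie = ... (one statement per line): a string literal is classified
    # directly; a computed value is persistent only if expires/max-age is visible,
    # otherwise its lifetime is unknown and the cookie is marked for review.
    out = []
    for rhs in re.findall(r"document\.cookie\s*=\s*([^\n]*)", src):
        rhs = rhs.strip().rstrip(";").strip()
        m = re.search(r"""['"]\s*([\w\-]+)\s*=""", rhs)
        literal = re.fullmatch(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'', rhs)
        lifetime = _LIFETIME.search(rhs) is not None
        out.append((m.group(1) if m else "?", lifetime if (literal or lifetime) else None))
    return out

def _scan_java(src):
    # Servlet API: setMaxAge(n > 0) is persistent, negative or never called is a
    # session cookie, and a non-literal argument is left for review.
    out = []
    for var, name in re.findall(r'Cookie\s+(\w+)\s*=\s*new\s+Cookie\s*\(\s*"([^"]*)"', src):
        m = re.search(r"\b%s\.setMaxAge\s*\(\s*([^)]*)\)" % re.escape(var), src)
        arg = m.group(1).strip() if m else "-1"
        out.append((name, int(arg) > 0 if re.fullmatch(r"-?\d+", arg) else None))
    return out

def _scan_perl(src):
    # CGI.pm cookie(...): the -expires argument makes it persistent.
    out = []
    for args in re.findall(r"\bcookie\s*\(([^)]*)\)", src, re.S):
        m = re.search(r"-name\s*=>\s*['\"]([^'\"]*)", args)
        out.append((m.group(1) if m else "?", "-expires" in args))
    return out

def _scan_asp(src):
    # ASP/VBScript: Response.Cookies("n") = v creates the cookie; a separate
    # Response.Cookies("n").Expires = ... assignment makes it persistent.
    names = re.findall(r'Response\.Cookies\s*\(\s*"([^"]*)"\s*\)\s*=', src, re.I)
    expiring = {n.lower() for n in
                re.findall(r'Response\.Cookies\s*\(\s*"([^"]*)"\s*\)\.Expires', src, re.I)}
    return [(n, n.lower() in expiring) for n in dict.fromkeys(names)]

_SCANNERS = {"coldfusion": _scan_coldfusion, "javascript": _scan_javascript,
             "java": _scan_java, "perl": _scan_perl, "asp": _scan_asp}

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps a path to its source text; returns one Finding per cookie found."""
    findings = []
    for path, src in sorted(files.items()):
        lang = _LANG_BY_EXT.get(os.path.splitext(path)[1].lower())
        if lang is not None:  # skip files in languages the search does not cover
            findings += [Finding(path, lang, n, p) for n, p in _SCANNERS[lang](src)]
    return findings

def needs_m00_13_review(findings: List[Finding]) -> List[Finding]:
    """Persistent cookies are subject to the four M-00-13 conditions; cookies whose
    lifetime is computed at run time cannot be cleared statically and are listed too."""
    return [f for f in findings if f.persistent is not False]

def classify_set_cookie(header_value: str) -> Tuple[str, bool]:
    """Dynamic counterpart: classify one Set-Cookie header value captured from the
    live site.  Persistent if an Expires or Max-Age attribute is present."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return parts[0].split("=", 1)[0].strip(), bool(attrs & {"expires", "max-age"})

SAMPLE_FILES = {  # constructed sample content, not USAID files
    "demo/app.cfm": '<cfcookie name="DEMOUSER" value="#form.user#" expires="30">',
    "awards/search.asp": 'Response.Cookies("LastQuery") = q\n'
                         'Response.Cookies("LastQuery").Expires = Date + 30\n',
    "feedback/form.html": '<script>\ndocument.cookie = "visited=1";\n</script>',
    "scripts/track.js": 'document.cookie = "uid=" + id + "; expires=" + far.toUTCString();',
    "cgi-bin/comment.pl": "my $c = $q->cookie(-name => 'lang', -value => 'en');",
    "src/Track.java": 'Cookie t = new Cookie("track", id);\nt.setMaxAge(ttlSeconds);\n',
    "notes.txt": "cfcookie is mentioned here but this file is not source code",
}

if __name__ == "__main__":
    label = {True: "PERSISTENT", False: "session", None: "REVIEW"}
    for f in scan_files(SAMPLE_FILES):
        print(f"{label[f.persistent]:10} {f.name:10} {f.language:10} {f.path}")
    print(len(needs_m00_13_review(scan_files(SAMPLE_FILES))), "cookie(s) need M-00-13 review")
```

Run against the constructed sample, the scan reports the Cold Fusion and ASP cookies and the computed JavaScript cookie as persistent, the literal JavaScript cookie and the Perl cookie as session cookies, and the Java cookie (whose setMaxAge argument is a variable) as needing review; the review list therefore holds four entries. The scan is deliberately line-based and regex-based, like the audit's own text search: it finds candidates for a person to assess, and the REVIEW category exists precisely because the session-versus-persistent question that tripped up the second application cannot always be answered from source text alone.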